Schools bombarded with spear-phishing attacks
More than 1,000 educational institutions, such as schools, colleges and universities, have been targeted by over 3.5 million spear-phishing attacks from June through to September 2020. This is according to new research from Barracuda Networks, the trusted partner and leading provider for cloud-enabled security solutions, released in their most recent ‘Threat Spotlight’.
Spear-phishing is a personalised phishing attack that targets a specific organisation or individual – the cost of a spear phishing attack can be devastating, as demonstrated by the recent example where thousands of Lancaster University students’ confidential data was accessed subsequent to a successful phishing attack.
When breaking down the types of spear-phishing attacks facing schools and Universities, Barracuda researchers found that educational institutions are more than twice as likely to be targeted by a business email compromise (BEC) attack than an average organisation. In fact, more than one in four spear-phishing attacks that targeted the education sector was a carefully crafted BEC attack. For reference, just 11% of spear-phishing attacks across all sectors are reported to be BEC attacks.
Additionally, phishing attacks made up 41% of all attacks targeting education, 28% were made up by ‘scamming’ attempts, and three percent were said to be related to ‘extortion’.
Barracuda researchers also observed that there was a drop-off in spear-phishing attacks against the education sector in July and August when schools were closed for summer break - these months saw a drop in cyber attacks of ten to 14% below average. However, June and September, which are usually the last and first month’s of the academic year, saw a surge in spear-phishing attacks: 11% higher than the average in June and 13% higher in September.
In light of COVID-19, the ‘Threat Spotlight’ also observed an increasing number of email spear-phishing attacks using topical subject headings to grab victims’ attention. These include: ‘COVID19 NEW UPDATES’; ‘COVID-19 Update Follow Up Right Now’; ‘COVID-19 SCHOOL MEETING’ and ‘Re: Stay Safe’.
Michael Flouton, VP Email Protection for Barracuda Networks, commented:“Cyber attackers have come to understand that education institutions don’t often have the same level of security sophistication as in other organisations, and therefore, they will send carefully crafted email messages designed to trick unknowing and untrained victims into leaking personal or confidential information, such as login credentials, student records, or payment information.
“In light of COVID-19 and the transition to remote learning environments, the quantity of data stored on school and University servers has surged, and thus, so too has the quantity of cyber attacks facing them.
“Therefore, schools and Universities must combat this threat by investing in email security that leverages artificial intelligence to help identify unusual senders, intercept suspicious requests and block spear-phishing attacks. Additionally, account takeover protection, security awareness education for staff and students, and a reconstruction of internal policies, are all imperative to preventing human error from leading to costly mistakes in the future.”